Sizzle - بالعربي
حل sizzle بالعربي
Recon
nmap
nmap -sV -sC -F -Pn 10.10.10.103استخدمت -F كرمال يعمل ال scan او الفحص بسرعة لاني جيت و عملت -p- لكل ال ports و طول كتير
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-19 01:49 EDT
Nmap scan report for 10.10.10.103
Host is up (0.49s latency).
Not shown: 92 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2021-05-19T06:07:04+00:00; +15m54s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2021-05-19T06:07:04+00:00; +15m54s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
445/tcp open microsoft-ds?
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 15m53s, deviation: 0s, median: 15m53s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-05-19T06:06:25
|_ start_date: 2021-05-19T00:11:30
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.26 seconds
في بالنتائج sizzle.htb.local ضيفه لل
/etc/hosts
FTP
ادخل ك anonymous ب مستخدم و كلمة سر anonymous / anonymous
متل ما شايف لاشيء, فقررت اتجه للويب
Web :80
شكل الموقع
السورس كود مافيو شي
تفقد الويب, تقفد ال 445 port اتفقد ال ssl certificate ليكون في شي هنيك انا ما انتبهتلو, عملت directory enum و لقيت كم شغلة مثيرة للاهتمام بس ما مفيدة جدا
هون 403 و ممنوع في شوية طرق و تريكات ممكن نجربها بس حاليا ما رح جربها و امشي للبعده و لو ما زبط معي شي بعدين برجع لهون و بجرب
بالمسار هاد
https://sizzle.htb.local/certsrv
عم يطلب اسم مستخدم و كلمة سر و هيدا اصلا simple authentication و بطبيعة الحال ممكن نعمل عليه تخمين
, رحت لل SMB
SMB
smbclient -L 10.10.10.103Enter WORKGROUP\kali's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
CertEnroll Disk Active Directory Certificate Services share
Department Shares Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Operations Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
القرص الاسمه CertEnroll مثير للاهتمام لانو فوق بالويب عنا نفس المسار بس ما النا صلاحيات نعمل فيه شي, ف نروح لل Department Shares
smbclient "//10.10.10.103/Department Shares"smb: \> dir
. D 0 Tue Jul 3 11:22:32 2018
.. D 0 Tue Jul 3 11:22:32 2018
Accounting D 0 Mon Jul 2 15:21:43 2018
Audit D 0 Mon Jul 2 15:14:28 2018
Banking D 0 Tue Jul 3 11:22:39 2018
CEO_protected D 0 Mon Jul 2 15:15:01 2018
Devops D 0 Mon Jul 2 15:19:33 2018
Finance D 0 Mon Jul 2 15:11:57 2018
HR D 0 Mon Jul 2 15:16:11 2018
Infosec D 0 Mon Jul 2 15:14:24 2018
Infrastructure D 0 Mon Jul 2 15:13:59 2018
IT D 0 Mon Jul 2 15:12:04 2018
Legal D 0 Mon Jul 2 15:12:09 2018
M&A D 0 Mon Jul 2 15:15:25 2018
Marketing D 0 Mon Jul 2 15:14:43 2018
R&D D 0 Mon Jul 2 15:11:47 2018
Sales D 0 Mon Jul 2 15:14:37 2018
Security D 0 Mon Jul 2 15:21:47 2018
Tax D 0 Mon Jul 2 15:16:54 2018
Users D 0 Tue Jul 10 17:39:32 2018
ZZ_ARCHIVE D 0 Mon Jul 2 15:32:58 2018
7779839 blocks of size 4096. 3552765 blocks available
ننزلهم بالاول
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *جوا ال users رح تلاقي اسماء مستخدمين هدول ممكن تاخدهم ك user list حاولت ابحبش هون و هنيك و ماطلعت بشي فهون قعدت افكر في شغلة ممكن نطلع عليها و هو ازا في الك صلاحيات الكتابة على ال disks و الصراحة ما بتذكر ولا ب pentest ولا ب bug hunting شفت يهي موجودة, بس بالاخر هي CTF و كلو ممكن ف رح نعمل الاتي
اول شي اعمل مجلد
mkdir mountتاني شي بأمر mount اعمل mount لل disk لملف الي سويته من شوي
sudo mount -t cifs "//10.10.10.103/Department Shares" mountرح يطلب منك كلمة سر كلاتي, اضغط enter و بس
Password for root@//10.10.10.103/Department Shares: اعمل ls -la
طيب متل ما شايف هي الملفات تبعيتنا , حسب الصلاحيات الي بالاحمر انو انا فيني اكتب على الموجود بما اني رووت فخلينا نجرب نكتب , نعمل ملف مثلا
متل ما هو واضح Permission denied, من الاخر يا معلم عم يأحطلنا (ينفض, يطرد,يقلع ... الخ من المرادفات الظريفة) فاجا ببالي اني اعمل one line command هاد عبارة عن امر باش من سطر واحد بدخل و يجرب يكتب بكل المجلدات
Enum write permission first shot
for i in $(ls);do touch $i/test.txt;donetouch: cannot touch 'Accounting/test.txt': Permission denied
touch: cannot touch 'Audit/test.txt': Permission denied
touch: cannot touch 'Banking/test.txt': Permission denied
touch: cannot touch 'CEO_protected/test.txt': Permission denied
touch: cannot touch 'Devops/test.txt': Permission denied
touch: cannot touch 'Finance/test.txt': Permission denied
touch: cannot touch 'HR/test.txt': Permission denied
touch: cannot touch 'Infosec/test.txt': Permission denied
touch: cannot touch 'Infrastructure/test.txt': Permission denied
touch: cannot touch 'IT/test.txt': Permission denied
touch: cannot touch 'Legal/test.txt': Permission denied
touch: cannot touch 'M&A/test.txt': Permission denied
touch: cannot touch 'Marketing/test.txt': Permission denied
touch: cannot touch 'R&D/test.txt': Permission denied
touch: cannot touch 'Sales/test.txt': Permission denied
touch: cannot touch 'Security/test.txt': Permission denied
touch: cannot touch 'Tax/test.txt': Permission denied
touch: cannot touch 'Users/test.txt': Permission denied
touch: cannot touch 'ZZ_ARCHIVE/test.txt': Permission deniedطبعا يال الجمال كلو permission denied, بس لا للإستسلام لا للتراجع
Enum write permission second shot
اتذكرت انو باداة smbcacls ممكن اشوف الأذونات او بالضبط ال ACL !
اول شي نشوف المجلدات الاساسية متل ما عملنا اول مرة بس هي المرة بأداة smbcacls
for i in $(ls);do echo "\n"$i;smbcacls -N "//10.10.10.103/Department Shares" $i;doneالمفروض يطلعلك متل هيك
Accounting
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Audit
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Banking
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
CEO_protected
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Devops
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Finance
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
HR
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Infosec
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Infrastructure
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
IT
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Legal
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
M&A
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Marketing
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
R&D
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Sales
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Security
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Tax
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
Users
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/0x0/READ
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ZZ_ARCHIVE
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULLنحن عم نطلع على ال ACL الي هي
ACL:Everyone:ALLOWED/OI|CI/FULLهي بتعني ان الكل عند الأذونات و الوصول الكامل, عنا ال ZZ_ARCHIVE عنده هي ال ACL هاد بعني انو منقدر نكتب هون
هلق نشوف الي جوا هي المجلدات
for i in $(ls);for x in $(ls $i);do echo "\n"$i"/"$x;smbcacls -N "//10.10.10.103/Department Shares" $i/$x;doneرح تطلعلك كمية داتا كتير, بس رح تلاقي ال ACL البدنا ب
/Users/Public
Users/Public
REVISION:1
CONTROL:SR|DI|DP
OWNER:BUILTIN\Administrators
GROUP:HTB\Domain Users
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:S-1-5-21-2379389067-1826974543-3574127760-1000:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULLهيك عنا مكانين منقدر نكتب فيهم
Exploit
SCF File Attack
كل هي العملية ليش؟ لانو في نوع هجوم اسمو SCF File Attack (اضغط هنا)
amanda::HTB:9be9fd34c0e927f8:BBA79C2B7D92BD323728695003F2D7CA:0101000000000000C0653150DE09D201C447124086C661E1000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D2010600040002000000080030003000000000000000010000000020000047E5928C44FD28913B4318D651F8DE351D58BDD648F9FF9C56F18F7743C915B70A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310036002E00310036003000000000000000000000000000hashcat.exe -m 5600 amanda_ntlmhash.txt rockyou.txt -d 1AMANDA::HTB:9be9fd34c0e927f8:bba79c2b7d92bd323728695003f2d7ca:0101000000000000c0653150de09d201c447124086c661e1000000000200080053004d004200330001001e00570049004e002d00500052004800340039003200520051004100460056000400140053004d00420033002e006c006f00630061006c000300340057004
9004e002d00500052004800340039003200520051004100460056002e0053004d00420033002e006c006f00630061006c000500140053004d00420033002e006c006f00630061006c0007000800c0653150de09d2010600040002000000080030003000000000000000010000000020000047e5928c44fd28913b4318d651f8de351d58bdd648f9
ff9c56f18f7743c915b70a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310036002e00310036003000000000000000000000000000:Ashare1972CREDS: amanda:Ashare1972
Last updated
Was this helpful?